CodeQL documentation

Failure to use HTTPS URLs

ID: rust/non-https-url
Kind: path-problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-319
   - external/cwe/cwe-345
Query suites:
   - rust-code-scanning.qls
   - rust-security-extended.qls
   - rust-security-and-quality.qls


Constructing URLs with the HTTP protocol can lead to insecure connections.

Furthermore, constructing URLs with the HTTP protocol can create problems if other parts of the code expect HTTPS URLs. A typical pattern is to use libraries that expect secure connections, which may fail or fall back to insecure behavior when provided with HTTP URLs instead of HTTPS URLs.

Recommendation

When you construct a URL for network requests, ensure that you use an HTTPS URL rather than an HTTP URL. Then, any connections that are made using that URL are secure TLS connections.

Example

The following examples show two ways of making a network request using a URL. When the request is made using an HTTP URL rather than an HTTPS URL, the connection is unsecured and can be intercepted by attackers:

```rust
// BAD: Using HTTP URL which can be intercepted
use reqwest;

fn main() {
    let url = "http://example.com/sensitive-data";

    // This makes an insecure HTTP request that can be intercepted
    let response = reqwest::blocking::get(url).unwrap();
    println!("Response: {}", response.text().unwrap());
}
```

A better approach is to use HTTPS. When the request is made using an HTTPS URL, the connection is a secure TLS connection:

```rust
// GOOD: Using HTTPS URL which provides encryption
use reqwest;

fn main() {
    let url = "https://example.com/sensitive-data";

    // This makes a secure HTTPS request that is encrypted
    let response = reqwest::blocking::get(url).unwrap();
    println!("Response: {}", response.text().unwrap());
}
```
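The examples above use string literals. When the URL is assembled at run time, for instance from a configured base, the same rule can be enforced with a scheme check before the request is made. The following is an added example, not part of the CodeQL documentation or the query; it uses only the standard library, and `SchemeError`, `require_https` and `build_api_url` are hypothetical names.

```rust
// Added example (std only). `SchemeError`, `require_https` and `build_api_url`
// are hypothetical names; the sample URLs are constructed.
#[derive(Debug, PartialEq)]
enum SchemeError {
    /// No valid "scheme://" prefix (relative or scheme-relative URL).
    Missing,
    /// A scheme other than https, for example "http" or "ftp".
    NotHttps(String),
}

/// Returns the trimmed URL if its scheme is https, otherwise an error.
/// Schemes are case-insensitive (RFC 3986, section 3.1), so "HTTP://" is rejected too.
fn require_https(url: &str) -> Result<&str, SchemeError> {
    let trimmed = url.trim();
    let (scheme, _rest) = trimmed.split_once("://").ok_or(SchemeError::Missing)?;
    // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ); anything else means
    // the "://" sits inside a path or query rather than ending a scheme.
    let valid = scheme.chars().next().map_or(false, |c| c.is_ascii_alphabetic())
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    if !valid {
        return Err(SchemeError::Missing);
    }
    if scheme.eq_ignore_ascii_case("https") {
        Ok(trimmed)
    } else {
        Err(SchemeError::NotHttps(scheme.to_ascii_lowercase()))
    }
}

/// Joins a configured base URL and a path, refusing any base that is not HTTPS.
fn build_api_url(base: &str, path: &str) -> Result<String, SchemeError> {
    let base = require_https(base)?;
    Ok(format!("{}/{}", base.trim_end_matches('/'), path.trim_start_matches('/')))
}

fn main() {
    // Constructed inputs, as they might arrive from a config file or environment.
    for base in ["https://example.com/", "http://example.com", "HTTP://example.com", "//example.com"] {
        match build_api_url(base, "/sensitive-data") {
            Ok(url) => println!("ok:       {url}"),
            Err(e) => println!("rejected: {base:?} ({e:?})"),
        }
    }
}
```

With reqwest, building the client with `ClientBuilder::https_only(true)` applies the same restriction at the client level, so a non-HTTPS URL is refused even if a check like this is skipped.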
